Roles within workspaces

Roles are defined within the server or by products that integrate with H2O Workspaces. They are not user-definable or modifiable.

Several standard roles are available.

Workspace owner

Description: Default role for creators of the workspaces.
Name: roles/workspace-owner
Allowed actions: actions/workspaceserver/workspaces/*
- Full permission to modify and delete the workspace
- Full permission to read and modify role assignments
- Full permission to read and modify permission presets
- Full permission to DocAI
- Full permission for Orchestrator
- Full permission to Drive objects
- Full permission for Secure Store
- Full permission for App Store instances
- Full permission for Engine Manager workloads (DriverlessAI, H2O-3, Notebook Engine)
- Full permission for Audit Trail objects
- Full permission for MLOps
- Read permissions for Telemetry usage information

Personal workspace owner

Description: Default role for personal workspaces.
Name: roles/personal-workspace-owner
Allowed actions: actions/workspaceserver/workspaces/*
- Full permission to modify and delete the workspace
- Read permission for role assignments
- Read permission for permission presets
- Full permission to DocAI
- Full permission for Orchestrator
- Full permission to Drive objects
- Full permission for Secure Store
- Full permission for App Store instances
- Full permission for Engine Manager workloads (DriverlessAI, H2O-3, Notebook Engine)
- Full permission for Audit Trail objects
- Full permission for MLOps

Workspace collaborator

Description: Role for users that can collaborate on workspaces.
Name: roles/collaborator
Allowed actions:
- Read permission to workspace details
- Read permission for role assignments
- Read permission for DocAI projects
- Full permission to DocAI resources
- Read permission for Orchestrator workflows
- Read permission for Orchestrator workflow executions
- Read permission for Orchestrator workflow triggers
- Read permission for Orchestrator runnables
- Read permission for Orchestrator executor pools and executors

Reader

Description: Read-only Access to workspace and majority of the workspace resources.
Name: roles/reader
Allowed actions:
- Read permission to workspace details
- Read & list permission for H2O Drive objects
- Read permission for App Store app instances
- Read permission for Orchestrator workflows
- Read permission for Orchestrator workflow executions
- Read permission for Orchestrator workflow triggers
- Read permission for Orchestrator runnables
- Read permission for Orchestrator executor pools and executors

Writer

Description: Read and Write Access to workspace and main resources.
Name: roles/writer
Allowed actions:
- Update permission to workspace details
- Read, list, write, and delete permission for H2O Drive objects
- Read and write permission for App Store instances

Notebook Engine admin

Description:
Name: roles/enginemanager-notebook-engine-admin
Allowed actions:
- Create, get, list, update, delete, pause, resume, and access Notebook Engine instances
- Create, get, list, update, and delete Notebook Engine images
- Create, get, list, list assigned, update, and delete Notebook Engine profiles

Notebook Engine user

Description:
Name: roles/enginemanager-notebook-engine-user
Allowed actions:
- Create, get, list, update, delete, pause, resume, and access Notebook Engine instances
- Get and list Notebook Engine images
- List assigned Notebook Engine profiles

Notebook Engine reader

Description:
Name: roles/enginemanager-notebook-engine-reader
Allowed actions:
- Get and list Notebook Engine instances
- Get and list Notebook Engine images

H2O Engine admin

Description:
Name: roles/enginemanager-h2o-engine-admin
Allowed actions:
- Create, get, list, update, delete, pause, resume, download logs, and access H2O-3 Engine instances
- Create, get, list, update, and delete H2O-3 Engine images
- Create, get, list, list assigned, update, and delete H2O-3 Engine profiles

H2O Engine user

Description:
Name: roles/enginemanager-h2o-engine-user
Allowed actions:
- Create, get, list, update, delete, pause, resume, download logs, and access H2O-3 Engine instances
- Get and list H2O-3 Engine images
- List assigned H2O-3 Engine profiles

H2O Engine reader

Description:
Name: roles/enginemanager-h2o-engine-reader
Allowed actions:
- Get, list, and download logs of H2O Engine instances
- Get and list H2O Engine versions

DAI Engine admin

Description:
Name: roles/enginemanager-dai-engine-admin
Allowed actions:
- Create, get, list, update, delete, pause, resume, download logs, and access DAI Engine instances
- Create, get, list, update, and delete DAI Engine images
- Create, get, list, list assigned, update, and delete DAI Engine profiles

DAI Engine user

Description:
Name: roles/enginemanager-dai-engine-user
Allowed actions:
- Create, get, list, update, delete, pause, resume, download logs, and access DAI Engine instances
- Get and list DAI Engine images
- List assigned DAI Engine profiles

DAI Engine reader

Description:
Name: roles/enginemanager-dai-engine-reader
Allowed actions:
- Get, list, and download logs of DAI Engine instances
- Get and list DAI Engine versions

DAI admin

Description: Allow admin actions in DAI
Name: roles/dai-admin
Allowed actions: actions/driverlessai/admin/**
- Full permission for admin actions in DAI

Drive writer

Description: Role for users that may read and write to drives.
Name: roles/drive-writer
Allowed actions:
- Read, list, write, and delete permission for H2O Drive objects

Drive reader

Description: Role for users that may read from drives.
Name: roles/drive-reader
Allowed actions:
- Read and list permission for H2O Drive objects

Orchestrator workflow viewer

Description: Role which give permissions to read workflows
Name: roles/orchestrator-workflow-viewer
Allowed actions:
- Get permission for workflows
- Get permission for workflow triggers and executions

Orchestrator Workflow Runner

Description: Role which give permissions to read workflows,execute them and manage triggers
Name: roles/orchestrator-workflow-runner
Allowed actions:
- Get and execute permission for workflows
- Create, get, edit, pause, resume, and delete permission for workflow triggers
- Get permissions for workflow executions

Orchestrator workflow editor

Description: Role which give permissions to read and update workflows
Name: roles/orchestrator-workflow-editor
Allowed actions:
- Get, update, execute permission for workflows
- Create, get, edit, pause, resume, and delete permission for workflow triggers
- Get, cancel, and delete permission for workflow executions

Orchestrator workflow owner

Description: Default role for creators of workflows
Name: roles/orchestrator-workflow-owner
Allowed actions:
- Get, execute, update, delete for workflows
- Create, get, edit, pause, resume, delete for workflow triggers
- Get, cancel, and delete permission for workflow executions

Orchestrator runnable viewer

Description: Role which give permissions to read runnables
Name: roles/orchestrator-runnable-viewer
Allowed actions:
- Get permission for runnables

Orchestrator runnable editor

Description: Role which give permissions to read and update runnables
Name: roles/orchestrator-runnable-editor
Allowed actions:
- Get and update permission for runnables

Orchestrator runnable owner

Description: Default role for creators of runnables
Name: roles/orchestrator-runnable-owner
Allowed actions:
- Get, update, delete permission for runnables

Feedback

Submit and view feedback for this page
Send feedback about H2O AI Cloud | Docs to cloud-feedback@h2o.ai

Workspace owner​

Personal workspace owner​

Workspace collaborator​

Reader​

Writer​

Notebook Engine admin​

Notebook Engine user​

Notebook Engine reader​

H2O Engine admin​

H2O Engine user​

H2O Engine reader​

DAI Engine admin​

DAI Engine user​

DAI Engine reader​

DAI admin​

Drive writer​

Drive reader​

Orchestrator workflow viewer​

Orchestrator Workflow Runner​

Orchestrator workflow editor​

Orchestrator workflow owner​

Orchestrator runnable viewer​

Orchestrator runnable editor​

Orchestrator runnable owner​

Workspace owner

Personal workspace owner

Workspace collaborator

Reader

Writer

Notebook Engine admin

Notebook Engine user

Notebook Engine reader

H2O Engine admin

H2O Engine user

H2O Engine reader

DAI Engine admin

DAI Engine user

DAI Engine reader

DAI admin

Drive writer

Drive reader

Orchestrator workflow viewer

Orchestrator Workflow Runner

Orchestrator workflow editor

Orchestrator workflow owner

Orchestrator runnable viewer

Orchestrator runnable editor

Orchestrator runnable owner